The Department of Health and Human Services (HHS) announced yesterday that the Alaska Department of Health and Social Services, Alaska’s State Medicaid agency (Alaska Medicaid), has agreed to pay $1.7 million to HHS to settle potential violations of the HIPAA Security Rule. This is HHS’s first HIPAA enforcement action against a State agency, and HHS stated in the press release that it “expect[s] organizations to comply with their obligations under [the HIPAA rules] regardless of whether they are private or public entities.”

HHS’s Office for Civil Rights (OCR) began investigating Alaska Medicaid after receiving a breach report from the agency in October 2009. The report indicated that a portable electronic storage device potentially containing electronic protected health information (e-PHI) was stolen from the vehicle of a computer technician employed by the State. HHS subsequently determined through its investigation that Alaska Medicaid had not complied with HIPAA Security Rule requirements to:

complete a risk analysis;

implement sufficient risk management measures;

complete security training for its workforce members;

implement device and media controls; and

address device and media encryption.

To settle these potential violations, Alaska Medicaid entered into a resolution agreement with HHS under which it agreed to pay $1.7 million. The agency also agreed to comply with a corrective action plan that requires it to, among other things:

develop and implement specific policies and procedures that address the issues identified in the investigation;

train all members of its workforce who have access to e-PHI on the HIPAA Security Rule and the new policies and procedures;

conduct a risk assessment and provide a description of proposed risk management measures to HHS; and

appoint a monitor to report to OCR regularly on the State’s compliance efforts.

This enforcement action against Alaska Medicaid suggests that HHS will be taking a closer look at HIPAA compliance by State Medicaid agencies, particularly given the number of agencies that have reported data breaches in recent months.